
CVE-2023-22307: Fix Site-Passwords in GET parameters

Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before 1.6.4 allows local attacker to retrieve passwords via reading log files.


Component: Firmware
Title: Fix Site-Passwords in GET parameters
Date: Mar 31, 2023
Appliance Version: 1.6.4
Level: Trivial Change
Class: Bug Fix
Compatibility: Incompatible - Manual interaction might be required

Prior to this Werk, when creating a site with webconf, the administrator password and the password specified under "Authentication via Password" were submitted as GET parameters and were therefore written to the Apache access log.

We found this vulnerability internally.

Manual Steps: You should change all passwords set via webconf.

Vulnerability Management: We have rated the issue with a CVSS Score of 5.5 (Medium) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. We assigned CVE-2023-22307 to this vulnerability.

Changes: This Werk changes the HTTP method of these forms to POST.
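The reason the GET-to-POST change matters is that Apache records the full request line, query string included, for every request, while a POST body never reaches the access log. The following script is an added example, not code from the advisory or from Checkmk: it scans constructed Apache combined-format log lines for credential-like query parameters (so an operator can tell whether passwords were actually logged and which ones to rotate) and redacts their values from a line before the log is kept or shared. The paths and parameter names in the sample lines are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample lines in Apache combined log format. They are not taken
# from the advisory; the paths and parameter names are assumptions used only to
# illustrate the difference between a GET form (query string is logged) and a
# POST form (the body is not part of the access log).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [31/Mar/2023:10:15:01 +0000] "GET /webconf/create_site?site=prod&admin_password=Hunter2&auth_password=s3cret HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2023:10:16:07 +0000] "POST /webconf/create_site HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.11 - - [31/Mar/2023:10:17:33 +0000] "GET /webconf/sites?site=prod HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# The quoted request line of the combined log format: method, target, protocol.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Substrings that mark a query parameter name as credential-like.
SENSITIVE_NAME_HINTS = ("password", "passwd", "secret", "token")


def is_sensitive(name: str) -> bool:
    """True when a parameter name looks like it carries a credential."""
    lowered = name.lower()
    return lowered == "pw" or any(hint in lowered for hint in SENSITIVE_NAME_HINTS)


def sensitive_params(target: str) -> list[str]:
    """Names of credential-like parameters in the query string of a request target."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True) if is_sensitive(name)]


def find_leaked_credentials(log_text: str) -> list[tuple[int, str, str, list[str]]]:
    """Scan access-log text; return (line number, method, path, parameter names)
    for every request whose query string carries a credential-like parameter.
    POST requests show up only if they also put a credential in the URL."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if match is None:
            continue
        target = match.group("target")
        names = sensitive_params(target)
        if names:
            findings.append((lineno, match.group("method"), urlsplit(target).path, names))
    return findings


def redact_line(line: str) -> str:
    """Replace the value of every credential-like query parameter with REDACTED,
    leaving lines without such parameters byte-for-byte unchanged."""
    match = REQUEST_LINE.search(line)
    if match is None:
        return line
    target = match.group("target")
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(is_sensitive(name) for name, _ in pairs):
        return line
    redacted = [(name, "REDACTED" if is_sensitive(name) else value) for name, value in pairs]
    new_target = parts._replace(query=urlencode(redacted)).geturl()
    return line.replace(target, new_target, 1)


if __name__ == "__main__":
    for lineno, method, path, names in find_leaked_credentials(SAMPLE_ACCESS_LOG):
        print(f"line {lineno}: {method} {path} carries {', '.join(names)} in the query string")
    for line in SAMPLE_ACCESS_LOG.splitlines():
        print(redact_line(line))
```

Run against a real access log, the first function tells you which site passwords were exposed (and therefore need the manual rotation the advisory asks for); the second is for scrubbing copies of the log that must be retained after the fix, since changing the form method stops new leaks but does not remove what was already written.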
